Helm/Vault: Difference between revisions
| Line 19: | Line 19: | ||
export KUBECONFIG="${HOME}/.kube/dev-kubeconfig.yaml" | export KUBECONFIG="${HOME}/.kube/dev-kubeconfig.yaml" | ||
export KUBECONFIG="${HOME}/.kube/gcp-kubeconfig.yaml" | export KUBECONFIG="${HOME}/.kube/gcp-kubeconfig.yaml" | ||
export KUBECONFIG="${HOME}/.kube/lke-kubeconfig.yaml" | |||
export KUBECONFIG="${HOME}/.kube/config" | export KUBECONFIG="${HOME}/.kube/config" | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 25: | Line 26: | ||
<syntaxhighlight lang='bash'> | <syntaxhighlight lang='bash'> | ||
cat <<'EXE'| sudo bash | cat <<'EXE'| sudo bash | ||
mkdir -p /var/minikube/pvc/vault/data-vault-0/ | |||
chown -R | chown -R 100:1000 /var/minikube/pvc/vault/ | ||
chmod -R 700 /var/minikube/pvc/vault/ | |||
EXE | EXE | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 41: | Line 43: | ||
helm show values hashicorp/vault --version=0.31.0|less | helm show values hashicorp/vault --version=0.31.0|less | ||
</syntaxhighlight> | </syntaxhighlight> | ||
|- | |- | ||
|valign='top' style='width:50%'| | |valign='top' style='width:50%'| | ||
| Line 61: | Line 62: | ||
---- | ---- | ||
* [[K8s/Storage#Storage » Persistent Volume|Skipped » Find More 👉 Storage » Persistent Volume]] | * [[K8s/Storage#Storage » Persistent Volume|Skipped » Find More 👉 Storage » Persistent Volume]] | ||
|- | |||
!scope='col'| Persistent Volume | |||
!scope='col'| Persistent Volume Claim | |||
|- | |- | ||
|valign='top'| | |valign='top'| | ||
| Line 107: | Line 111: | ||
YML | YML | ||
</syntaxhighlight> | </syntaxhighlight> | ||
|- | |||
!scope='col'| Install | |||
!scope='col'| Notes | |||
|- | |- | ||
|valign='top'| | |valign='top'| | ||
| Line 132: | Line 139: | ||
cpu: 250m | cpu: 250m | ||
limits: | limits: | ||
memory: | memory: 512Mi | ||
cpu: | cpu: 500m | ||
ingress: | ingress: | ||
enabled: true | enabled: true | ||
annotations: | annotations: | ||
kubernetes.io/ingress.class: nginx | kubernetes.io/ingress.class: nginx | ||
ingressClassName: nginx | ingressClassName: nginx | ||
hosts: | hosts: | ||
- host: vault.shahed.biz.ops | - host: vault.shahed.biz.ops | ||
volumes: | |||
- name: data-vault-0 | |||
persistentVolumeClaim: | |||
claimName: data-vault-0 | |||
volumeMounts: | |||
- readOnly: false | |||
name: data-vault-0 | |||
mountPath: /vault/data | |||
dataStorage: | dataStorage: | ||
size: | size: 1Gi | ||
enabled: | enabled: false | ||
storageClass: standard | storageClass: standard | ||
dev: | dev: | ||
enabled: false | enabled: false | ||
| Line 157: | Line 168: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
|valign='top'| | |valign='top'| | ||
|- | |||
!scope='col'| Operator Init | |||
!scope='col'| Key Shares | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang='bash'> | |||
sudo sh -c 'ls -alh /var/minikube/pvc/vault/data-vault-0/*' | |||
kubectl -n vault exec -it svc/vault -- vault operator init | |||
kubectl -n vault exec -it svc/vault -- vault status | |||
kubectl -n vault exec -it svc/vault -- ash | |||
:' | |||
vault operator init | |||
vault operator unseal | |||
vault status | |||
' | |||
</syntaxhighlight> | |||
|valign='top'| | |||
'''Unseal Key 1:''' /bvRmLPLF8MnfOQQWrhdqAmLBSKfNtSSkcyWY/uXZ0+F | |||
'''Unseal Key 2:''' Jh5mA+DwX/zlU+3jvxlgNarSzAOBRHvNcF3QOoGtzl/h | |||
'''Unseal Key 3:''' DqUWoe6MN6oDKi3bYoZuXSbT0ZpT0/Pbg0kpTkhkUfVP | |||
'''Unseal Key 4:''' rr5filRlKfkJL27iS0hUMDEtK4z2f/Oo6I1PIxwe3FcG | |||
'''Unseal Key 5:''' zujb7p5mf9djpoo3+ELvlfgE60oRcwC6754e26LqFCJ7 | |||
'''Initial Root Token:''' hvs.40aTe1S58DWIstRk4bHPgESg | |||
Vault initialized with 5 key shares and a key threshold of 3. | |||
|- | |- | ||
|valign='top'| | |valign='top'| | ||
<syntaxhighlight lang='bash'> | <syntaxhighlight lang='bash'> | ||
helm status vault | helm -n=vault status vault | ||
helm get manifest vault | helm -n=vault get manifest vault | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 170: | Line 206: | ||
setsid open https://vault.shahed.biz.ops >/dev/null 2>&1 & | setsid open https://vault.shahed.biz.ops >/dev/null 2>&1 & | ||
</syntaxhighlight> | </syntaxhighlight> | ||
|} | |||
==Helm » Ingress== | |||
{|class='wikitable mw-collapsible mw-collapsed' | |||
!scope='col' style='text-align:left' colspan='2'| | |||
Vault » Ingress | |||
|- | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='yaml'> | |||
cat <<'YML' | \ | |||
kubectl -n vault apply -f - | |||
--- | |||
apiVersion: cert-manager.io/v1 | |||
kind: Certificate | |||
metadata: | |||
name: vault-cert | |||
namespace: vault | |||
spec: | |||
secretName: vault-cert | |||
commonName: vault.shahed.biz.ops | |||
dnsNames: | |||
- vault.shahed.biz.ops | |||
duration: 8760h | |||
renewBefore: 720h | |||
privateKey: | |||
size: 256 | |||
encoding: PKCS8 | |||
algorithm: ECDSA | |||
rotationPolicy: Always | |||
usages: | |||
- digital signature | |||
- key encipherment | |||
- server auth | |||
- client auth | |||
subject: | |||
countries: ["BD"] | |||
provinces: ["Dhaka"] | |||
postalCodes: ["1500"] | |||
localities: ["Munshiganj"] | |||
organizations: ["Shahed, Inc."] | |||
organizationalUnits: ["vault.shahed.biz.ops"] | |||
streetAddresses: ["256 Khal East, Passport Office"] | |||
issuerRef: | |||
name: shahed-ecc-sub-ca-2025-k8s | |||
kind: ClusterIssuer | |||
YML | |||
</syntaxhighlight> | |||
|valign='top' style='width:50%'| | |||
'''Shahed_ECC_Root_CA_2025''' » Firefox » Settings » Certificates » View Certificates » Import | |||
<syntaxhighlight lang='bash'> | |||
cat <<'CRT' | \ | |||
sudo tee /usr/local/share/ca-certificates/Shahed_ECC_Root_CA_2025.crt >/dev/null | |||
-----BEGIN CERTIFICATE----- | |||
MIICVzCCAf0CFGUKRHOSLD3pqFU50HJvLeqYUPq6MAoGCCqGSM49BAMCMIGtMQsw | |||
CQYDVQQGEwJCRDEOMAwGA1UECAwFRGhha2ExEzARBgNVBAcMCk11bnNoaWdhbmox | |||
FTATBgNVBAoMDFNoYWhlZCwgSW5jLjEgMB4GA1UECwwXU2hhaGVkX0VDQ19Sb290 | |||
X0NBXzIwMjUxIDAeBgNVBAMMF1NoYWhlZF9FQ0NfUm9vdF9DQV8yMDI1MR4wHAYJ | |||
KoZIhvcNAQkBFg9pbmZvQHNoYWhlZC5iaXowHhcNMjUwODIzMDk1NzMxWhcNNDUw | |||
ODIzMDk1NzMxWjCBrTELMAkGA1UEBhMCQkQxDjAMBgNVBAgMBURoYWthMRMwEQYD | |||
VQQHDApNdW5zaGlnYW5qMRUwEwYDVQQKDAxTaGFoZWQsIEluYy4xIDAeBgNVBAsM | |||
F1NoYWhlZF9FQ0NfUm9vdF9DQV8yMDI1MSAwHgYDVQQDDBdTaGFoZWRfRUNDX1Jv | |||
b3RfQ0FfMjAyNTEeMBwGCSqGSIb3DQEJARYPaW5mb0BzaGFoZWQuYml6MFkwEwYH | |||
KoZIzj0CAQYIKoZIzj0DAQcDQgAEbuTaY9T08dgixHd9zvDCfuVODsZJDLcdpNB1 | |||
38haHzpnfsl0fvKVfJP1nYwrKwskBDTWPDYC03nIHJJxi9js+TAKBggqhkjOPQQD | |||
AgNIADBFAiBUPr4rlKCuAD6FnoyZd/XKD/PvbzafUd4ZnRPFvSw3gQIhAMI+5v7a | |||
ea5K8PaGppAIi/55yHqYlXLgaMB4ohu3OsGw | |||
-----END CERTIFICATE----- | |||
CRT | |||
sudo update-ca-certificates --fresh | |||
sudo update-ca-certificates | |||
</syntaxhighlight> | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang='yaml'> | |||
cat <<'YML' | \ | |||
kubectl -n vault patch ingress/vault --patch-file=/dev/stdin | |||
--- | |||
metadata: | |||
annotations: | |||
cert-manager.io/cluster-issuer: shahed-ecc-sub-ca-2025-k8s | |||
spec: | |||
tls: | |||
- hosts: | |||
- vault.shahed.biz.ops | |||
secretName: vault-cert | |||
YML | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang='yaml'> | |||
cat <<'YML' | \ | |||
kubectl -n vault patch ingress/vault --patch-file=/dev/stdin | |||
--- | |||
metadata: | |||
annotations: | |||
cert-manager.io/cluster-issuer: null | |||
spec: | |||
tls: null | |||
YML | |||
</syntaxhighlight> | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang='bash'> | |||
setsid open http://vault.shahed.biz.ops >/dev/null 2>&1 & | |||
setsid open https://vault.shahed.biz.ops >/dev/null 2>&1 & | |||
</syntaxhighlight> | |||
|valign='top'| | |||
|} | |||
==Helm » Config== | |||
{|class='wikitable mw-collapsible' | |||
!scope='col' style='text-align:left' colspan='2'| | |||
Helm » Config | |||
|- | |||
!scope='col' style='width:50%'| Scale » Down | |||
!scope='col' style='width:50%'| Scale » Up | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang='bash'> | |||
# horizontal scale down or shutdown | |||
kubectl -n vault scale sts/vault --replicas=0 | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang='bash'> | |||
# horizontal scale up or startup | |||
kubectl -n vault scale sts/vault --replicas=0 | |||
</syntaxhighlight> | |||
|} | |||
==Helm » Debug== | |||
{|class='wikitable mw-collapsible' | |||
!scope='col' style='text-align:left'| | |||
Helm » Debug | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang='bash'> | |||
kubectl -n vault exec -it $(kubectl -n vault get pod -l component=webhook -o name) -c sidecar-injector -- ash | |||
kubectl -n vault exec -it $(kubectl -n vault get pod -l component=webhook -o name) -- ash | |||
kubectl -n vault exec -it svc/vault -c vault -- ash | |||
kubectl -n vault exec -it svc/vault -- ash | |||
kubectl -n vault exec -it svc/vault -c vault -- cat /etc/resolv.conf | |||
kubectl -n vault exec -it svc/vault -c vault -- cat /etc/hosts | |||
kubectl -n vault logs -f -l component=webhook -c sidecar-injector | |||
kubectl -n vault logs -f svc/vault -c vault | |||
kubectl -n vault logs -f svc/vault | |||
</syntaxhighlight> | |||
|} | |||
==Helm » Rollout== | |||
{|class='wikitable mw-collapsible mw-collapsed' | |||
!scope='col' style='text-align:left' colspan='2'| | |||
Vault » Rollout | |||
|- | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='bash'> | |||
kubectl -n vault annotate sts/vault --overwrite \ | |||
kubernetes.io/change-cause="CKI-1| Initial Deployment" | |||
</syntaxhighlight> | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='bash'> | |||
kubectl -n vault rollout history sts/vault | |||
kubectl -n vault scale sts/vault --replicas=0 | |||
</syntaxhighlight> | |||
|- | |||
!scope='col' style='text-align:left' style='width:50%'| | |||
Vault » Rollout | |||
!scope='col' style='text-align:left' style='width:50%'| | |||
Vault » Revert | |||
|- | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='yaml'> | |||
cat <<'YML' | \ | |||
kubectl -n vault patch sts/vault --patch-file=/dev/stdin | |||
--- | |||
spec: | |||
template: | |||
spec: | |||
containers: | |||
- name: vault | |||
resources: | |||
requests: | |||
memory: 128Mi | |||
cpu: 100m | |||
limits: | |||
memory: 256Mi | |||
cpu: 250m | |||
YML | |||
</syntaxhighlight> | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='yaml'> | |||
cat <<'YML' | \ | |||
kubectl -n vault patch sts/vault --patch-file=/dev/stdin | |||
--- | |||
spec: | |||
template: | |||
spec: | |||
containers: | |||
- name: vault | |||
resources: | |||
requests: | |||
memory: 256Mi | |||
cpu: 250m | |||
limits: | |||
memory: 512Mi | |||
cpu: 500m | |||
YML | |||
</syntaxhighlight> | |||
|- | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='bash'> | |||
kubectl -n vault annotate sts/vault --overwrite \ | |||
kubernetes.io/change-cause="CKI-2| Resources Updated" | |||
</syntaxhighlight> | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='bash'> | |||
kubectl -n vault scale sts/vault --replicas=1 | |||
kubectl -n vault rollout history sts/vault | |||
</syntaxhighlight> | |||
|- | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='bash'> | |||
kubectl -n vault rollout undo sts/vault --to-revision=1 | |||
kubectl -n vault rollout history sts/vault | |||
</syntaxhighlight> | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='bash'> | |||
kubectl -n vault annotate sts/vault --overwrite \ | |||
kubernetes.io/change-cause="CKI-3| Revert Back to CKI-1" | |||
</syntaxhighlight> | |||
|- | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='bash'> | |||
kubectl -n vault get sts/vault -o yaml \ | |||
| yq -P '.spec.template.spec.containers[]|select(.name == "vault")|.resources' | |||
</syntaxhighlight> | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='bash'> | |||
kubectl -n vault get sts/vault -o yaml \ | |||
-o jsonpath='{.spec.template.spec.containers[?(@.name=="vault")].resources}' | yq -P | |||
</syntaxhighlight> | |||
|} | |||
==Helm » Uninstall== | |||
{|class='wikitable mw-collapsible mw-collapsed' | |||
!scope='col' style='text-align:left' colspan='2'| | |||
Helm » Uninstall | |||
|- | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='bash'> | |||
helm -n vault status vault | |||
helm -n vault get all vault | |||
helm -n vault uninstall vault | |||
</syntaxhighlight> | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='bash'> | |||
kubectl -n vault delete pvc --all | |||
kubectl delete ns vault | |||
kubectl delete pv vault-data-vault-0 | |||
</syntaxhighlight> | |||
|} | |||
==Vault » Install== | |||
{|class='wikitable mw-collapsible' | |||
!scope='col' style='text-align:left' colspan='2'| | |||
Vault » Install | |||
|- | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='bash'> | |||
curl -fsSL https://apt.releases.hashicorp.com/gpg\ | |||
| sudo tee /etc/apt/keyrings/hashicorp.asc >/dev/null | |||
DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}") | |||
cat << SRC | sudo tee /etc/apt/sources.list.d/hashicorp.list >/dev/null | |||
deb [arch=$(dpkg --print-architecture)\ | |||
signed-by=/etc/apt/keyrings/hashicorp.asc]\ | |||
https://apt.releases.hashicorp.com ${DISTRIBUTION} main | |||
SRC | |||
</syntaxhighlight> | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='bash'> | |||
cat <<'EXE' | sudo bash | |||
apt-get update && apt-get install -y vault | |||
systemctl disable --now vault.service | |||
systemctl stop vault.service | |||
systemctl mask vault.service | |||
systemctl status vault.service | |||
vault version | |||
which vault | |||
EXE | |||
</syntaxhighlight> | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang='bash'> | |||
export VAULT_TOKEN='hvs.40aTe1S58DWIstRk4bHPgESg' | |||
export VAULT_ADDR='https://vault.shahed.biz.ops' | |||
vault status | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang='bash'> | |||
export VAULT_SKIP_VERIFY=true | |||
export VAULT_FORMAT=yaml | |||
vault login | |||
</syntaxhighlight> | |||
|} | |||
==Playground== | |||
{|class='wikitable mw-collapsible mw-collapsed' | |||
!scope='col' style='text-align:left' colspan='2'| | |||
Playground | |||
|- | |||
|valign='top' colspan='2'| | |||
<syntaxhighlight lang='bash'> | |||
helm -n vault install vault hashicorp/vault --version=0.30.1 | |||
helm -n vault upgrade -i vault hashicorp/vault --version=0.31.0 | |||
helm show values hashicorp/vault --version=0.31.0|less | |||
</syntaxhighlight> | |||
|- | |||
|valign='top' colspan='2'| | |||
<syntaxhighlight lang='bash'> | |||
kubectl -n vault exec -it svc/vault -c vault -- bash | |||
kubectl -n vault logs -f svc/vault -c vault | |||
kubectl -n vault logs -f svc/vault | |||
</syntaxhighlight> | |||
|- | |||
|valign='top' colspan='2'| | |||
<syntaxhighlight lang='bash'> | |||
kubectl config --kubeconfig=${HOME}/.kube/aws-kubeconfig.yaml view --flatten | |||
kubectl config --kubeconfig=${HOME}/.kube/dev-kubeconfig.yaml view --flatten | |||
kubectl config --kubeconfig=${HOME}/.kube/gcp-kubeconfig.yaml view --flatten | |||
kubectl config --kubeconfig=${HOME}/.kube/config view --flatten | |||
</syntaxhighlight> | |||
|- | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='bash'> | |||
kubectl -n vault delete all --all | |||
kubectl -n vault delete ing --all | |||
kubectl -n vault delete sts --all | |||
</syntaxhighlight> | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='bash'> | |||
kubectl delete pv vault-data-vault-0 | |||
kubectl -n vault delete svc --all | |||
kubectl -n vault delete pvc --all | |||
</syntaxhighlight> | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang='bash'> | |||
kubectl -n vault rollout history sts/vault | |||
kubectl -n vault rollout restart sts/vault | |||
kubectl -n vault rollout status sts/vault | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang='bash'> | |||
kubectl -n vault exec -it svc/vault -c vault -- ash | |||
kubectl -n vault logs -f svc/vault -c vault | |||
kubectl -n vault logs -f svc/vault | |||
</syntaxhighlight> | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang='bash'> | |||
sudo sh -c 'ls -alh /var/minikube/pvc/vault/data-vault-0/*' | |||
sudo sh -c 'du -sh /var/minikube/pvc/vault/data-vault-0/*' | |||
sudo sh -c 'du -sh /var/minikube/pvc/vault/*' | |||
</syntaxhighlight> | |||
|valign='top'| | |||
|} | |} | ||
| Line 178: | Line 605: | ||
|- | |- | ||
|valign='top' style='width:33%'| | |valign='top' style='width:33%'| | ||
* [ | * [[Helm/External Secrets Operator|Helm » External Secrets Operator]] | ||
* [[Helm/Vault Secrets Operator|Helm » Vault Secrets Operator]] | |||
* [[Helm/Prometheus Stack|Helm » Prometheus Stack]] | * [[Helm/Prometheus Stack|Helm » Prometheus Stack]] | ||
* [[Helm/Cert Manager|Helm » Cert Manager]] | * [[Helm/Cert Manager|Helm » Cert Manager]] | ||
* [[Helm/Reloader|Helm » Reloader]] | |||
* [[Helm/Harbor|Helm » Harbor]] | * [[Helm/Harbor|Helm » Harbor]] | ||
* [[Helm/Pi-Hole|Helm » Pi-Hole]] | * [[Helm/Pi-Hole|Helm » Pi-Hole]] | ||
| Line 187: | Line 616: | ||
|valign='top' style='width:34%'| | |valign='top' style='width:34%'| | ||
* [https://developer.hashicorp.com/vault/tutorials/secrets-management Vault » Docs » Secrets management] | |||
* [https://developer.hashicorp.com/vault/tutorials/pki/pki-engine Vault » Docs » Build your CA] | |||
* [https://developer.hashicorp.com/vault/tutorials/monitoring Vault » Docs » Monitoring] | |||
* [https://developer.hashicorp.com/vault/tutorials/get-started/learn-ui Vault » Docs » How] | |||
* [https://developer.hashicorp.com/vault/tutorials/get-started/why-use-vault Vault » Docs » Why] | |||
* [https://developer.hashicorp.com/vault/install Vault » Install] | |||
* [[Vault]] | |||
|valign='top' style='width:33%'| | |valign='top' style='width:33%'| | ||
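Review bot: The new revision publishes live credentials: the Key Shares cell carries all five unseal keys plus the initial root token, and the Vault » Install cell hardcodes that same token again in `export VAULT_TOKEN='hvs.…'`; anything that has been on this page should be treated as compromised, rekeyed (`vault operator rekey`) and the root token revoked, with the page keeping only a placeholder such as `export VAULT_TOKEN="${VAULT_TOKEN:?read from your secret store}"`. In the same cell `export VAULT_SKIP_VERIFY=true` switches TLS verification off even though the Ingress section installs the root CA system-wide; `export VAULT_CACERT=/usr/local/share/ca-certificates/Shahed_ECC_Root_CA_2025.crt` keeps verification on. Separately, the Scale » Up cell repeats the scale-down command with `--replicas=0`; it should read `kubectl -n vault scale sts/vault --replicas=1`.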
Latest revision as of 01:36, 25 January 2026
# Register the HashiCorp chart repo, refresh the index and show which kube
# context helm/kubectl will talk to before anything is installed.
helm repo add hashicorp 'https://helm.releases.hashicorp.com'
helm repo update && helm repo list
kubectl config get-contexts
|
Helm » Context
|
Helm » Context | |
|---|---|
# Pick ONE kubeconfig. Each line overrides the previous one, so only the last
# export actually run decides which cluster the commands below operate on;
# confirm with `kubectl config get-contexts` before installing.
export KUBECONFIG="$HOME/.kube/aws-kubeconfig.yaml"
export KUBECONFIG="$HOME/.kube/dev-kubeconfig.yaml"
export KUBECONFIG="$HOME/.kube/gcp-kubeconfig.yaml"
export KUBECONFIG="$HOME/.kube/lke-kubeconfig.yaml"
export KUBECONFIG="$HOME/.kube/config"
|
# Prepare the hostPath directory that backs the vault data volume. The quoted
# delimiter keeps the calling shell from expanding anything in the script.
sudo bash <<'EXE'
mkdir -p /var/minikube/pvc/vault/data-vault-0/
# 100:1000 — presumably the uid:gid the vault container runs as; confirm against the image
chown -R 100:1000 /var/minikube/pvc/vault/
# owner-only: Vault's storage directory must not be readable by other users on the node
chmod -R 700 /var/minikube/pvc/vault/
EXE
|
Helm » Install
|
Helm » Install | |
|---|---|
# Browse the chart defaults of the two versions referenced on this page.
helm show values hashicorp/vault --version 0.30.1 | less
helm show values hashicorp/vault --version 0.31.0 | less
| |
# Target the shahed-ab cluster and make sure the namespace exists
# (`|| true` keeps an already-existing namespace from aborting the paste).
export KUBECONFIG="$HOME/.kube/shahed-ab-kubeconfig.yaml"
kubectl create namespace vault || true
|
# Check for / tear down the namespace; the delete is tolerated when it is absent.
kubectl get namespaces | grep -- vault
kubectl delete namespace vault || true
|
|
| |
| Persistent Volume | Persistent Volume Claim |
# hostPath PersistentVolume for the vault data. NOTE(review): this path differs
# from the /var/minikube/pvc/vault/data-vault-0 directory prepared earlier on
# this page — confirm which of the two the minikube node actually exposes.
kubectl apply --filename - <<'YML'
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: vault-data-vault-0
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteOnce
  # Retain: deleting the claim leaves the data on disk until removed by hand
  persistentVolumeReclaimPolicy: Retain
  storageClassName: hostpath
  hostPath:
    path: /var/hostpath_pv/vault/data-vault-0
    type: DirectoryOrCreate
YML
|
# Pre-created claim bound to the PV above; its name (data-vault-0) must match
# the claimName used in the chart's server.volumes. The manifest contains no
# shell expansions, so the delimiter can safely be quoted.
kubectl apply --filename - <<'YML'
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  labels:
    app.kubernetes.io/name: vault
  name: data-vault-0
  namespace: vault
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: hostpath
  volumeName: vault-data-vault-0
YML
|
| Install | Notes |
# Install/upgrade the chart with values fed on stdin. Image tags are pinned
# explicitly so the deployment is reproducible; dev mode stays off and the
# chart's own dataStorage PVC is disabled in favour of the claim created above.
helm --namespace vault upgrade --install vault hashicorp/vault --version 0.31.0 --values - <<'YML'
---
global:
  enabled: true
injector:
  replicas: 1
  image:
    repository: hashicorp/vault-k8s
    tag: 1.7.0
  agentImage:
    repository: hashicorp/vault
    tag: 1.20.1
server:
  image:
    repository: hashicorp/vault
    tag: 1.20.1
  resources:
    requests:
      memory: 256Mi
      cpu: 250m
    limits:
      memory: 512Mi
      cpu: 500m
  ingress:
    enabled: true
    annotations:
      # legacy form of ingressClassName, kept alongside it for older controllers
      kubernetes.io/ingress.class: nginx
    ingressClassName: nginx
    hosts:
      - host: vault.shahed.biz.ops
  volumes:
    - name: data-vault-0
      persistentVolumeClaim:
        claimName: data-vault-0
  volumeMounts:
    - readOnly: false
      name: data-vault-0
      mountPath: /vault/data
  dataStorage:
    size: 1Gi
    enabled: false
    storageClass: standard
  dev:
    enabled: false
ui:
  enabled: true
  serviceType: ClusterIP
YML
|
|
| Operator Init | Key Shares |
# Inspect the backing directory, then initialise and check the server. The
# init output (unseal keys + root token) belongs in a secrets manager and with
# separate share-holders, never on this page or in shell history.
sudo sh -c 'ls -alh /var/minikube/pvc/vault/data-vault-0/*'
kubectl --namespace vault exec --stdin --tty svc/vault -- vault operator init
kubectl --namespace vault exec --stdin --tty svc/vault -- vault status
kubectl --namespace vault exec --stdin --tty svc/vault -- ash
# the same steps as typed inside the pod shell (no-op here, kept as a reminder)
: <<'NOTES'
vault operator init
vault operator unseal
vault status
NOTES
|
Unseal Key 1: /bvRmLPLF8MnfOQQWrhdqAmLBSKfNtSSkcyWY/uXZ0+F Unseal Key 2: Jh5mA+DwX/zlU+3jvxlgNarSzAOBRHvNcF3QOoGtzl/h Unseal Key 3: DqUWoe6MN6oDKi3bYoZuXSbT0ZpT0/Pbg0kpTkhkUfVP Unseal Key 4: rr5filRlKfkJL27iS0hUMDEtK4z2f/Oo6I1PIxwe3FcG Unseal Key 5: zujb7p5mf9djpoo3+ELvlfgE60oRcwC6754e26LqFCJ7 Initial Root Token: hvs.40aTe1S58DWIstRk4bHPgESg Vault initialized with 5 key shares and a key threshold of 3. |
# Release status and the rendered manifests helm applied.
helm --namespace vault status vault
helm --namespace vault get manifest vault
|
# Raw TCP check of the ingress, then open the UI detached from this terminal.
telnet 'vault.shahed.biz.ops' 443
setsid open 'https://vault.shahed.biz.ops' &>/dev/null &
|
Helm » Ingress
|
Vault » Ingress | |
|---|---|
# cert-manager Certificate for the ingress host, issued by the cluster-wide
# ECC sub-CA; the resulting secret (vault-cert) is referenced by the ingress
# TLS patch below. rotationPolicy Always mints a new key on every renewal.
kubectl --namespace vault apply --filename - <<'YML'
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: vault-cert
  namespace: vault
spec:
  secretName: vault-cert
  commonName: vault.shahed.biz.ops
  dnsNames:
    - vault.shahed.biz.ops
  duration: 8760h
  renewBefore: 720h
  privateKey:
    size: 256
    encoding: PKCS8
    algorithm: ECDSA
    rotationPolicy: Always
  usages:
    - digital signature
    - key encipherment
    - server auth
    - client auth
  subject:
    countries: ["BD"]
    provinces: ["Dhaka"]
    postalCodes: ["1500"]
    localities: ["Munshiganj"]
    organizations: ["Shahed, Inc."]
    organizationalUnits: ["vault.shahed.biz.ops"]
    streetAddresses: ["256 Khal East, Passport Office"]
  issuerRef:
    name: shahed-ecc-sub-ca-2025-k8s
    kind: ClusterIssuer
YML
|
Shahed_ECC_Root_CA_2025 » Firefox » Settings » Certificates » View Certificates » Import
cat <<'CRT' | \
sudo tee /usr/local/share/ca-certificates/Shahed_ECC_Root_CA_2025.crt >/dev/null
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
CRT
sudo update-ca-certificates --fresh
sudo update-ca-certificates
|
# Enable TLS on the chart-managed ingress. secretName must match the
# Certificate's spec.secretName (vault-cert). NOTE(review): the cluster-issuer
# annotation also lets cert-manager's ingress-shim manage a certificate for
# this host — confirm it does not collide with the explicit Certificate above.
kubectl --namespace vault patch ingress/vault --patch-file /dev/stdin <<'YML'
---
metadata:
  annotations:
    cert-manager.io/cluster-issuer: shahed-ecc-sub-ca-2025-k8s
spec:
  tls:
    - hosts:
        - vault.shahed.biz.ops
      secretName: vault-cert
YML
|
# Revert the TLS patch: null removes the annotation and the tls block, which
# puts the ingress back to plain HTTP.
kubectl --namespace vault patch ingress/vault --patch-file /dev/stdin <<'YML'
---
metadata:
  annotations:
    cert-manager.io/cluster-issuer: null
spec:
  tls: null
YML
|
# Open the UI over both schemes, detached from this terminal.
for url in 'http://vault.shahed.biz.ops' 'https://vault.shahed.biz.ops'; do
  setsid open "$url" &>/dev/null &
done
|
|
Helm » Config
|
Helm » Config | |
|---|---|
| Scale » Down | Scale » Up |
# horizontal scale down or shutdown (the pod is removed, the PVC/PV stay)
kubectl --namespace vault scale statefulset/vault --replicas 0
|
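# horizontal scale up or startup
# --replicas=1 here: 0 is the scale-down command and would leave vault stopped.
kubectl -n vault scale sts/vault --replicas=1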
|
Helm » Debug
|
Helm » Debug |
|---|
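# Shells and logs for the injector webhook and the server. `-o name` yields
# "pod/<name>", which exec accepts; the substitution is quoted so the pod name
# is always passed as a single argument (with more than one webhook pod the
# list would be rejected by exec — presumably injector.replicas stays 1).
kubectl -n vault exec -it "$(kubectl -n vault get pod -l component=webhook -o name)" -c sidecar-injector -- ash
kubectl -n vault exec -it "$(kubectl -n vault get pod -l component=webhook -o name)" -- ash
kubectl -n vault exec -it svc/vault -c vault -- ash
kubectl -n vault exec -it svc/vault -- ash
# DNS / hosts as seen from inside the server container
kubectl -n vault exec -it svc/vault -c vault -- cat /etc/resolv.conf
kubectl -n vault exec -it svc/vault -c vault -- cat /etc/hosts
kubectl -n vault logs -f -l component=webhook -c sidecar-injector
kubectl -n vault logs -f svc/vault -c vault
kubectl -n vault logs -f svc/vault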
|
Helm » Rollout
|
Vault » Rollout | |
|---|---|
# Record the change cause so `rollout history` shows it for revision 1.
kubectl --namespace vault annotate statefulset/vault --overwrite \
  'kubernetes.io/change-cause=CKI-1| Initial Deployment'
|
# Show revisions, then stop the server before patching its resources.
kubectl --namespace vault rollout history statefulset/vault
kubectl --namespace vault scale statefulset/vault --replicas 0
|
|
Vault » Rollout |
Vault » Revert |
# Strategic-merge patch lowering the vault container's resources (creates a
# new StatefulSet revision).
kubectl --namespace vault patch statefulset/vault --patch-file /dev/stdin <<'YML'
---
spec:
  template:
    spec:
      containers:
        - name: vault
          resources:
            requests:
              memory: 128Mi
              cpu: 100m
            limits:
              memory: 256Mi
              cpu: 250m
YML
|
# Same patch with the original values from the Helm install — puts the
# resources back without a rollout undo.
kubectl --namespace vault patch statefulset/vault --patch-file /dev/stdin <<'YML'
---
spec:
  template:
    spec:
      containers:
        - name: vault
          resources:
            requests:
              memory: 256Mi
              cpu: 250m
            limits:
              memory: 512Mi
              cpu: 500m
YML
|
# Change cause for the resources patch (revision 2).
kubectl --namespace vault annotate statefulset/vault --overwrite \
  'kubernetes.io/change-cause=CKI-2| Resources Updated'
|
# Bring the server back and confirm the new revision is listed.
kubectl --namespace vault scale statefulset/vault --replicas 1
kubectl --namespace vault rollout history statefulset/vault
|
# Roll back to the initial deployment; undo itself creates a further revision.
kubectl --namespace vault rollout undo statefulset/vault --to-revision 1
kubectl --namespace vault rollout history statefulset/vault
|
# Change cause for the rollback revision.
kubectl --namespace vault annotate statefulset/vault --overwrite \
  'kubernetes.io/change-cause=CKI-3| Revert Back to CKI-1'
|
# Current resources of the vault container, filtered with yq.
kubectl --namespace vault get statefulset/vault --output yaml \
  | yq -P '.spec.template.spec.containers[]|select(.name == "vault")|.resources'
|
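# Same query via jsonpath. Only one output format applies — a repeated `-o`
# overrides the earlier one — so the redundant `-o yaml` is dropped.
kubectl -n vault get sts/vault \
  -o jsonpath='{.spec.template.spec.containers[?(@.name=="vault")].resources}' | yq -P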
|
Helm » Uninstall
|
Helm » Uninstall | |
|---|---|
# Review the release before removing it; uninstall deletes the chart's
# resources but not the pre-created PVC/PV.
helm --namespace vault status vault
helm --namespace vault get all vault
helm --namespace vault uninstall vault
|
# Remove the claim, namespace and the Retain-policy PV; the hostPath data
# itself stays on the node until removed by hand.
kubectl --namespace vault delete persistentvolumeclaim --all
kubectl delete namespace vault
kubectl delete persistentvolume vault-data-vault-0
|
Vault » Install
|
Vault » Install | |
|---|---|
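# Add HashiCorp's apt repo with its signing key pinned via signed-by, so the
# key can only authenticate this one repository.
sudo install -d -m 0755 /etc/apt/keyrings   # absent on older releases; idempotent
curl -fsSL https://apt.releases.hashicorp.com/gpg \
  | sudo tee /etc/apt/keyrings/hashicorp.asc >/dev/null
# sourced in a subshell so /etc/os-release does not leak into this environment
DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
# Unquoted delimiter on purpose: $(dpkg …) and ${DISTRIBUTION} must expand.
# The deb line is written in one piece: a backslash continuation inside the
# heredoc joins lines without a space and can glue arch= to signed-by=.
sudo tee /etc/apt/sources.list.d/hashicorp.list >/dev/null <<SRC
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/hashicorp.asc] https://apt.releases.hashicorp.com ${DISTRIBUTION} main
SRC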
|
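# Install the vault CLI only; the packaged vault.service is disabled and masked
# so this host never runs a server of its own by accident.
sudo bash <<'EXE'
apt-get update && apt-get install -y vault
systemctl disable --now vault.service   # --now also stops the unit
systemctl stop vault.service            # harmless after --now
systemctl mask vault.service
systemctl status vault.service          # exits non-zero for an inactive unit; informational only
vault version
command -v vault                        # portable replacement for `which`
EXE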
|
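# Point the CLI at the cluster-hosted Vault. The token is taken from the
# environment or from the token helper file that `vault login` writes
# (~/.vault-token); it is never written into this page. Revoke the initial
# root token once real auth methods and policies are in place.
export VAULT_TOKEN="${VAULT_TOKEN:-$(cat -- "${HOME}/.vault-token" 2>/dev/null)}"
export VAULT_ADDR='https://vault.shahed.biz.ops'
vault status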
|
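# Keep TLS verification ON: the ingress certificate chains to the page's own
# root CA, installed under /usr/local/share/ca-certificates above, so pin that
# file instead of skipping verification (assumes the ingress serves the full
# chain — confirm). Any stale VAULT_SKIP_VERIFY from an earlier session is dropped.
export VAULT_CACERT=/usr/local/share/ca-certificates/Shahed_ECC_Root_CA_2025.crt
unset VAULT_SKIP_VERIFY
export VAULT_FORMAT=yaml
vault login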
|
Playground
|
Playground | |
|---|---|
# First install, then the upgrade path used on this page, plus the defaults.
helm --namespace vault install vault hashicorp/vault --version 0.30.1
helm --namespace vault upgrade --install vault hashicorp/vault --version 0.31.0
helm show values hashicorp/vault --version 0.31.0 | less
| |
# Shell into the server container and tail its logs.
kubectl --namespace vault exec --stdin --tty svc/vault --container vault -- bash
kubectl --namespace vault logs --follow svc/vault --container vault
kubectl --namespace vault logs --follow svc/vault
| |
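# Dump each kubeconfig with its certificates, keys and tokens inlined
# (--flatten). The output is a credential: keep it off shared pages and
# terminal logs. Paths are quoted so a HOME with spaces still works.
for cfg in aws-kubeconfig.yaml dev-kubeconfig.yaml gcp-kubeconfig.yaml config; do
  kubectl config --kubeconfig="${HOME}/.kube/${cfg}" view --flatten
done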
| |
# Wipe the workload objects in the namespace (ingress and statefulsets are
# not covered by `all`, hence the extra lines).
kubectl --namespace vault delete all --all
kubectl --namespace vault delete ingress --all
kubectl --namespace vault delete statefulset --all
|
# Remove the storage and service objects left behind.
kubectl delete persistentvolume vault-data-vault-0
kubectl --namespace vault delete service --all
kubectl --namespace vault delete persistentvolumeclaim --all
|
# Restart the server pod in place and wait for it to come back.
kubectl --namespace vault rollout history statefulset/vault
kubectl --namespace vault rollout restart statefulset/vault
kubectl --namespace vault rollout status statefulset/vault
|
# Shell into the server container (busybox ash) and tail its logs.
kubectl --namespace vault exec --stdin --tty svc/vault --container vault -- ash
kubectl --namespace vault logs --follow svc/vault --container vault
kubectl --namespace vault logs --follow svc/vault
|
# Inspect the hostPath data on the node; `sh -c` is needed so the glob
# expands with root privileges rather than in the calling shell.
for cmd in \
  'ls -alh /var/minikube/pvc/vault/data-vault-0/*' \
  'du -sh /var/minikube/pvc/vault/data-vault-0/*' \
  'du -sh /var/minikube/pvc/vault/*'; do
  sudo sh -c "$cmd"
done
|
|
References
|
References | ||
|---|---|---|